Current time: 11-24-2024, 11:12 AM Hello There, Guest! (LoginRegister)


Post Reply 
Zusätzliche Firewall (Shorewall)
Author Message
jmeyerdo Offline
Junior Member
*

Posts: 173
Joined: Oct 2007
Reputation: 2
Post: #1
Zusätzliche Firewall (Shorewall)
Hallo!

Ich würde gerne wirklich nur bestimmte Ports nach außen hin frei geben und die Firewall nicht nur zum Traffic-Logging verwenden.
Habe dazu jetzt mal die Shorewall installiert. Wenn ich nach dem Start der Shorewall das Skript "ispcp-network" restarte, scheinen auch alle Rules korrekt drin zu sein.
Oder sieht da jemand Überschneidungen/Probleme?
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ISPCP_INPUT  all  --  anywhere             anywhere
eth0_in    all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:INPUT:REJECT:'
reject     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
eth0_fwd   all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ISPCP_OUTPUT  all  --  anywhere             anywhere
eth0_out   all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject     all  --  anywhere             anywhere

Chain Drop (2 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid  all  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            multiport dports epmap,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere            multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:ssdp
dropNotSyn  tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain ISPCP_INPUT (1 references)
target     prot opt source               destination
           tcp  --  anywhere             anywhere            tcp dpt:smtp
           tcp  --  anywhere             anywhere            tcp dpt:imap
           tcp  --  anywhere             anywhere            tcp dpt:pop3
           tcp  --  anywhere             anywhere            tcp dpt:http
RETURN     all  --  anywhere             anywhere

Chain ISPCP_OUTPUT (1 references)
target     prot opt source               destination
           tcp  --  anywhere             anywhere            tcp spt:smtp
           tcp  --  anywhere             anywhere            tcp spt:imap
           tcp  --  anywhere             anywhere            tcp spt:pop3
           tcp  --  anywhere             anywhere            tcp spt:http
RETURN     all  --  anywhere             anywhere

Chain Reject (4 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid  all  --  anywhere             anywhere
reject     udp  --  anywhere             anywhere            multiport dports epmap,microsoft-ds
reject     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
reject     udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
reject     tcp  --  anywhere             anywhere            multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:ssdp
dropNotSyn  tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain
Chain all2all (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:all2all:REJECT:'
reject     all  --  anywhere             anywhere

Chain dropBcast (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/4

Chain dropInvalid (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID

Chain dropNotSyn (2 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (2 references)
target     prot opt source               destination

Chain eth0_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
smurfs     all  --  anywhere             anywhere            state INVALID,NEW
tcpflags   tcp  --  anywhere             anywhere

Chain eth0_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
smurfs     all  --  anywhere             anywhere            state INVALID,NEW
tcpflags   tcp  --  anywhere             anywhere
net2fw     all  --  anywhere             anywhere

Chain eth0_out (1 references)
target     prot opt source               destination
fw2net     all  --  anywhere             anywhere

Chain fw2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
Chain logflags (5 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info ip-options prefix `Shorewall:logflags:DROP:'
DROP       all  --  anywhere             anywhere

Chain logreject (0 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere

Chain net2all (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:net2all:DROP:'
DROP       all  --  anywhere             anywhere

Chain net2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
reject     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
Drop       all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:net2fw:DROP:'
DROP       all  --  anywhere             anywhere

Chain reject (12 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            ADDRTYPE match src-type BROADCAST
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere            reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain shorewall (0 references)
target     prot opt source               destination

Chain smurfs (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0              anywhere
LOG        all  --  anywhere             anywhere            ADDRTYPE match src-type BROADCAST LOG level info prefix `Shorewall:smurf
s:DROP:'
DROP       all  --  anywhere             anywhere            ADDRTYPE match src-type BROADCAST
LOG        all  --  BASE-ADDRESS.MCAST.NET/4  anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere

Chain tcpflags (2 references)
target     prot opt source               destination
logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags   tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
logflags   tcp  --  anywhere             anywhere            tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
Gibt es andere Tipps zur Verwendung einer erweiterten Firewall mit ISPCP?

Viele Grüße, Jens
02-04-2008 09:58 PM
Find all posts by this user Quote this message in a reply
Post Reply 


Messages In This Thread
Zusätzliche Firewall (Shorewall) - jmeyerdo - 02-04-2008 09:58 PM

Forum Jump:


User(s) browsing this thread: 1 Guest(s)